Appendices

Appendix A: Handling of Classified Information

Purpose and Scope

This data classification policy defines the requirements to ensure that information within the organization ("Shuffl") is protected at an appropriate level. This document applies to the entire scope of Shuffl’s information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written. This policy applies to all individuals and systems that have access to information kept by Shuffl.

Background

This policy defines the high level objectives and implementation instructions for the Shuffl’s data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within Shuffl.

References

  1. Risk Assessment Policy

  2. Security Incident Management Policy

Policy

  • If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.

  • If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.

  • When classifying information, the level of confidentiality is determined by:

    • The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (Reference 1).

    • Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.

    • Legal, regulatory and contractual obligations.

Table 1: Information Confidentiality Levels

Confidentiality Level

Label Classification

Criteria

Access Restrictions

Public

For Public
Release

Making the
information public
will not harm the
organization in any
way.

Information is
available to the
public.

Internal Use

Internal Use

Unauthorized access
may cause minor
damage and/or
inconvenience to the
organization.

Information is
available to all
employees and
authorized third
parties.

Restricted

Restricted

Unauthorized access
to information may
cause considerable
damage to the
business and/or the
organization’s
reputation.

Information is
available to a specific
group of employees
and authhorized
third parties.

Confidential

Confidential

Unauthorized access
to information may
cause catastrophic
damage to business
and/or the
organization’s
reputation.

Information is
available only to
specific individuals
in the organization.

  • Information must be classified based on confidentiality levels as defined in Table 1.

  • Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.

  • Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.

  • Information classified as “Internal Use” must be accompanied by a list of authorized persons only if individuals outside the organization will have access to the document.

  • Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.

  • For cloud-based software services provided to customers, system owners under the organization’s control must also review the confidentiality level of their information systems after service agreement changes or after a customer’s formal notification. Where allowed by service agreements, confidentiality levels should be lowered.

  • Information must be labeled according to the following:

    • Paper documents: the confidentiality level is indicated on the top and bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labeled, its default classification is Internal Use.

    • Electronic documents: the confidentiality level is indicated on the top and bottom of each document page. If a document is not labeled, its default classification is Internal Use.

    • Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.

    • Electronic mail/Email: the confidentiality level is indicated in the first line of the email body. If it is not labeled, its default classification is “Internal Use”.

    • Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.

  • All persons accessing classified information must follow the guidelines listed in Appendix A, “Handling of Classified Information.”

  • All persons accessing classified information must complete and submit a Confidentiality Agreement to their immediate supervisor or company point-of-contact. Incidents related to the improper handling of classified information must be reported in accordance with the Security Incident Management Policy (Reference 2).

Appendix A: Handling of Classified Information

Information and information systems must be handled according to the following guidelines:

  • Paper Documents

    • Internal Use

      • Only authorized persons may have access.

      • If sent outside the organization, the document must be sent as registered mail.

      • Documents may only be kept in rooms without public access.

      • Documents must be removed expeditiously from printers.

    • Restricted

      • The document must be stored securely in a locked cabinet.

      • Documents may be transferred within and outside the organization only in a closed envelope.

      • If sent outside the organization, the document must be mailed with a return receipt service.

      • Documents must immediately be removed from printers and fax machines.

      • Only the document owner may copy the document.

      • Only the document owner may destroy the document.

    • Confidential

      • The document must be stored in a safe.

      • The document may be transferred within and outside the organization only by a trustworthy person in a closed and sealed envelope.

  • Electronic Documents

    • Internal Use

      • Only authorized persons may have access.

      • When documents are exchanged via unencrypted file sharing services such as FTP, they must be password protected

      • Access to the information system where the document is stored must be protected by a strong password.

    • Restricted

      • Only persons with authorization for this document may access the part of the information system where this document is stored.

      • When documents are exchanged via file sharing services of any type, they must be encrypted.

      • Only the document owner may erase the document.

    • Confidential

      • The document must be stored in encrypted form.

      • The document may be stored only on servers which are controlled by the organization.

      • The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a string password when transferred.

  • Information Systems

    • Internal Use

      • Only authorized persons may have access.

      • Access to the information system must be protected by a strong password.

      • The information system may be only located in rooms with controlled physical access.

    • Restricted

      • Users must log out of the information system if they have temporarily or permanently left the workplace.

      • Data must be securely deleted.

    • Confidential

      • Access to the information system must be controlled through multi-factor authentication (MFA).

      • The information system may only be installed on servers controlled by the organization.

      • The information system may only be located in rooms with controlled physical access and identity control of people accessing the room.

  • Electronic Mail

    • Internal Use

      • Only authorized persons may have access.

      • The sender must carefully check the recipient.

      • All rules stated under “information systems” apply.

    • Restricted

      • Email must be encrypted if sent outside the organization.

    • Confidential

      • Email must be encrypted.

  • Information Transmitted Orally

    • Internal Use

      • Only authorized persons may have access to information.

      • Unauthorized persons must not be present in the room when the information is communicated.

    • Restricted

      • The room must be sound-proof.

      • The conversation must not be recorded.

    • Confidential

      • Conversation conducted through electronic means must be encrypted.

      • No transcript of the conversation may be kept.

In this document, controls are implemented cumulatively, meaning that controls for any confidentiality level imply the implementation of controls defined for lower confidentiality levels - if stricter controls are prescribed for a higher confidentiality level, then only such controls are implemented.

Standard Controls Satisfied

TSC CC9.9


Did this answer your question?